CVE-2026-49490 | THREATINT

Description

OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable restrictions by manipulating filter requests to execute arbitrary SQL queries against the database.

PUBLISHED Reserved 2026-05-31 | Published 2026-05-31 | Updated 2026-05-31 | Assigner VulnCheck

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

HIGH: 8.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status

unaffected

Any version

affected

References

github.com/...enCATS/security/advisories/GHSA-gmpc-j6h7-vw74 (GHSA Advisory GHSA-gmpc-j6h7-vw74) vendor-advisory

www.vulncheck.com/...atagrid-filter-handling-for-tags-column (VulnCheck Advisory: OpenCATS - SQL Injection in DataGrid Filter Handling for Tags Column) third-party-advisory

cve.org (CVE-2026-49490)

nvd.nist.gov (CVE-2026-49490)

Download JSON